Real-time virus scanning is an important part of any anti-virus strategy. Real-time scanning protects your system between full scans by scanning each floppy boot sector and every program that you run. This includes programs loaded from CD-ROMs and other sources.
VIRSTOP.EXE is a Terminate-and-Stay-Resident (TSR) program that provides behind-the-scenes real-time virus scanning in DOS before allowing programs to run.
By default, the installation program places the command for activating VIRSTOP.EXE and NOVCAST.EXE as the last two lines in your AUTOEXEC.BAT file. If necessary, you can change their location in that file.
Where you load VIRSTOP.EXE depends on your network. Many network shells take over the "load and execute" function of DOS.
As an alternative to loading VIRSTOP.EXE from the AUTOEXEC.BAT, you can load VIRSTOP.EXE from CONFIG.SYS. This alternative provides anti-virus protection as early as possible by beginning protection almost as soon as you start your computer. The command line is:
DEVICE=C:\F-PROT\VIRSTOP.EXE
If you have installed Command AntiVirus elsewhere on your hard drive, be sure to substitute the correct drive and directory path. If you are loading the device driver HIMEM.SYS, make sure that HIMEM.SYS appears before the following line:
DEVICE=C:\F-PROT\VIRSTOP.EXE
If you load VIRSTOP.EXE prior to either a network redirector call (such as IPX or NETX) or a TSR program that uses INT 21h, you must use one of the following commands to turn on real-time scanning:
If you load VIRSTOP.EXE through CONFIG.SYS, the /AUTOHOOK switch automatically rehooks INT 21h after running EMSNETX.EXE, XMSNETX.EXE or NETX.EXE from your AUTOEXEC.BAT.
Add /AUTOHOOK to the DEVICE=VIRSTOP driver line in your CONFIG.SYS. For example:
DEVICE=C:\F-PROT\VIRSTOP /AUTOHOOK /WARM /BOOT /COPY /XMS
Use the /REHOOK switch to manually rehook INT 21h if you:
- Load VIRSTOP.EXE and either a network redirector call (other than EMSNETX.EXE, XMSNETX.EXE or NETX.EXE) or a TSR program that uses INT 21h.
- Load VIRSTOP.EXE through CONFIG.SYS and have multiple network redirector calls in AUTOEXEC.BAT.
- Load VIRSTOP.EXE through CONFIG.SYS and load TSR programs that use INT 21h through AUTOEXEC.BAT.
Should one of the above conditions exist, add the following line to the end of your AUTOEXEC.BAT:
C:\F-PROT\VIRSTOP /REHOOK
NOTE: To make sure that VIRSTOP is working properly, you can run the F-TEST utility. For more information, refer to Test Utilities in the Network Administration chapter.
Use the following table to help select a suitable location for VIRSTOP.EXE:
| Network | VIRSTOP.EXE |
|---|---|
| None | VIRSTOP.EXE may be loaded in the CONFIG.SYS or the AUTOEXEC.BAT file. |
| NetWare | VIRSTOP.EXE should be loaded after the call for the network redirector in your AUTOEXEC.BAT. If you load VIRSTOP.EXE prior to either a network redirector call or a TSR program that uses INT 21h, refer to Loading VIRSTOP.EXE located previously in this chapter. |
| Banyan Vines | VIRSTOP.EXE should be loaded after the call for the network redirector in your AUTOEXEC.BAT. If you load VIRSTOP.EXE prior to either a network redirector call or a TSR program that uses INT 21h, refer to Loading VIRSTOP.EXE located previously in this chapter. |
VIRSTOP.EXE uses a simpler, faster scan engine than F-PROT.EXE. If the virus is not in the database of virus signatures, VIRSTOP.EXE will not stop the file from running.
You should not use VIRSTOP.EXE as a replacement for scanning. Always use VIRSTOP.EXE in conjunction with regular manual and/or scheduled scanning practices.
VIRSTOP can scan during file copies and it can scan the boot sector of floppy disks during a disk access. You can access those and other features by entering command line switches when you load VIRSTOP.
NOTE: Systems using a version of DOS earlier than version 3.0 must load VIRSTOP.EXE from the F-PROT directory.
The following switches work only when you load VIRSTOP for the first time; VIRSTOP.EXE cannot already be resident in memory. You must restart the system to change them.
| Switch | Description |
|---|---|
| /? | Displays a list of valid parameters when you type VIRSTOP /? from the command line. Do not use this with other switches. |
| /DISK:X | Loads the virus signatures from disk X, which reduces VIRSTOP's conventional memory requirements to only 4K. This switch requires running VIRSTOP from a disk that will not change, such as a hard disk. If you use this switch from a floppy disk and then remove the disk, VIRSTOP fails. |
| /FREEZE | Forces a computer "lockup" when the program finds a virus in memory. You can select this switch to force users to take appropriate action. |
| /NOMEM | Skips the initial memory scan. Typically, if you use Command AntiVirus in your AUTOEXEC.BAT file to check memory, there is no need to run a memory scan again in such a short period of time. |
| /OLD | Does not display the expiration message. If you update the product regularly, this message should not appear. |
| /XMS [default] | Stores the virus signatures in extended memory, which reduces VIRSTOP's conventional memory requirements to only 4K. If XMS memory cannot be found, the /DISK switch should be used to save conventional memory. |
NOTE: The switches shown in the table above work in both load and run-time commands.
Although the following switches work at load-time, you can also use them after VIRSTOP.EXE is resident in memory.
| Switch | Description |
|---|---|
| /? | Displays a list of valid parameters when you type VIRSTOP /? from the command line. Do not use with other switches. |
| /AUTOHOOK | Automatically rehooks INT 21h after running EMSNETX.EXE, XMSNETX.EXE or NETX.EXE. For more information, refer to Real-time Protection located previously in this chapter. |
| /BOOT [default] | Scans the boot sectors of floppy disks when the disks are accessed. A warning message appears if the program finds a virus. |
| /COPY | Scans files for viruses when the system opens the file. |
| /NOBOOT | Does not check the boot sectors of floppy disks when the system accesses the disks. |
| /NOCOPY [default] | Turns off the scan during copy. |
| /NOTRACE | Sets compatibility with 386Max manager and Cyrix CPUs. |
| /NOWARM | Turns off the /WARM boot scan. |
| /QUIET | Does not display a warning message. |
| /REHOOK | Manually rehooks INT 21h. /REHOOK also allows VIRSTOP to scan a file before NETX runs the file. For more information, refer to Real-time Protection located previously in this chapter. |
| /WARM [default] | When you press Ctrl+Alt+Del, VIRSTOP scans the floppy in drive A: for boot sector viruses. If the program finds a virus, a warning message appears. |
NOTE: You can use /REHOOK in a NetWare login script.
Command AntiVirus allows you to customize VIRSTOP's default switches as well as the message that the system displays when VIRSTOP detects a virus.
In DOS you can make these changes by running the utility, VSCONFIG.EXE.
When VIRSTOP detects a virus, the system displays a message. The default message notifies you of the virus type and location. For example:
Boot sector virus found on drive a:
For more information, refer to the Network Administration chapter.
VIRSTOP.EXE ships with some of its switches already set. These default switches determine VIRSTOP's actions in the absence of any command line switches.
If you do not specify any switches on the command line, VIRSTOP uses the defaults. If you do specify switches on the command line, the system ignores the defaults.
You can change the default switches by making changes to the VSCONFIG.EXE file. Once you change the settings, VIRSTOP loads them automatically without any DOS command line switches being necessary.
VSCONFIG.EXE is a utility that allows you to make changes to VIRSTOP's default settings. The following instructions will help you through the change process:
- At the DOS command line, type CD \F-PROT or change to the directory in which VIRSTOP.EXE resides.
- Type VSCONFIG
- Press Enter. The system displays the following screen containing the current custom message and default switch settings:
VSCONFIG Screen 1
If you type M at the Option: prompt, the program allows you to create a new message that can contain up to 77 characters. When you have completed the message, press Enter.
When the Option: prompt returns, you can continue with changing the default switches or ending the program.
If you type S at the Option: prompt, the program displays the following questions (with the current setting shown in brackets) one-by-one.
The program allows you to change the setting between Yes and No. When you have typed your new answer, press Enter. The program moves you on to the next question. If you do not want to change a particular setting, just press Enter and the program fills in the default value.
VSCONFIG Screen 2
When the Option: prompt returns, you can continue with ending the program.
If you type Q at the Option: prompt, the program asks if you would like to save the changes that you made to VIRSTOP.EXE. Type Y to save the changes.
Whatever changes you have made in VSCONFIG take effect the next time you load VIRSTOP. If VIRSTOP is already running, you need to restart your computer.
Reinstalling Command AntiVirus overwrites the current VIRSTOP settings, returning them to their default values. You can use the following method to preserve your customized VIRSTOP settings.
Using VSCONFIG's SAVE Parameter
To preserve your customized VIRSTOP settings, you must use VSCONFIG.EXE with the SAVE parameter. This parameter creates an ASCII text file containing the VIRSTOP settings. When you reinstall Command AntiVirus, you can load this file which reinstalls your customized settings.
For example, if you want to save your customized VIRSTOP settings to the file VSTOPSET.TXT, type the following command at the command line and press Enter:
VSCONFIG SAVE VSTOPSET.TXT
The file name that you create for saving your VIRSTOP settings can be any name that conforms to the standard DOS file-naming convention of an 8-character file name and a 3-character extension.
Using VSCONFIG's LOAD parameter
After reinstalling Command AntiVirus, you can use VSCONFIG's LOAD parameter to reinstall your customized VIRSTOP settings.
For example, if you want to reinstall your customized VIRSTOP settings that are in the file VSTOPSET.TXT, type the following command at the command line and press Enter:
VSCONFIG LOAD VSTOPSET.TXT
F-MACRO is a DOS utility that searches Word 6.x and above document files for known Word macro viruses and disinfects them by disabling and overwriting the viral macros. This utility also searches Excel, version 5.0 and above, .XL? files for Excel macro viruses.
The following table lists the F-MACRO command-line switches:
| Switch | Description |
|---|---|
| /ALL | Scans files with any extension. |
| /APPEND | Use with /REPORT. Appends the screen output to an existing report. |
| /AUTO | Automatically disinfects. The program does not prompt you before disinfecting. |
| /DISINF | Disinfects infected documents. |
| /IDENTIFICATION | Lists the macro viruses that Command AntiVirus detects/disinfects. |
| /LIST | Lists all scanned file names. |
| /NOBREAK | Does not end the scan if you press ESC. |
| /NOSUB | Does not include subdirectories. |
| /REMNANTS | Used with /DISINF. Deletes all macros in a document if a new or modified variant or remnants of a macro virus are found (Word only). |
| /REMOVEALL | Deletes all macros in all scanned documents (Word only) whether or not they are infected. |
| /REPORT= | Sends the output to a file. |
| /RERENAME | Use with /DISINF. Renames file names changed by an F-PROTW.EXE scan back to their original file names. For example, changes *.VOC files to *.DOC. |
| /SILENT | Does not produce any screen output. |
This list of options is available from a help screen in F-MACRO. In the directory where F-MACRO.EXE is located (installation directory), type: F-MACRO and press Enter.
To use F-MACRO, give the scan path or drive as the first parameter. For example:
F-MACRO C:
F-MACRO C:\DOCS /ALL /AUTO
F-MACRO Z:\USER\INFECTED.DOC /BACKUP /DISINF
NOTE: Pressing the Esc key during a scan provides you with the option (Yes/No) of ending the scan.
The /REMOVEALL switch deletes all macros from all scanned documents whether or not they are infected.
Use the /REMNANTS switch with /DISINF. When F-MACRO reports that a document contains a new or modified variant of a macro virus or that it contains remnants of a macro virus, this switch deletes all of the macros in the document.
Because of this process, you must be careful when disinfecting your global document templates, for example, NORMAL.DOT.
NOTE: When F-MACRO finds an exact identification for a macro virus, the program only deletes those macros responsible for the infection.
Use the /RERENAME switch with /DISINF. /RERENAME returns changed file names to their original file names.
For example, when F-PROTW.EXE is configured to rename infected files, the program changes the first letter of the file's extension to a V. An infected file called DESKTAB.EXE would be renamed to DESKTAB.VXE. Running F-MACRO with the /RERENAME switch returns the file name to DESKTAB.EXE.
The following command returns files with a .VOC extension back to their original Microsoft .DOC extensions. In this example, voc represents the file extension.
F-MACRO /ext=voc /RERENAME /DISINF
NOTE: To be able to scan all document files, you should close Word and Excel before running F-MACRO. If you do not, NORMAL.DOT and possibly other files will remain locked. F-MACRO displays a warning message on these files.
If you have document files with non-standard extensions (something other than DOC, DOT, XLS, or XLT), use the /ALL switch to check all files.
F-MACRO turns infected documents back into the normal document type, removing the template attribute if it was added by a virus.
F-MACRO returns the following codes which you can check with the ERRORLEVEL command from a batch file. Use this command in your AUTOEXEC.BAT file to warn you if F-MACRO.EXE finds a problem.
F-MACRO.EXE RETURN CODES
| Return Code | Description |
|---|---|
| 0 | Normal exit. No viruses were found. |
| 1 | Abnormal termination - unrecoverable error. This is often the result of a missing system file. |
| 3 | A macro virus infection has been found. |
| 6 | At least one virus was removed. This code is meaningful only when used to scan a single file. |
| 8 | Found something suspicious. Invalid program files. Usually indicates corrupt files. |
| 9 | Had a problem with at least one file. |
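The return-code check described above, written out as an added example that is not part of the original manual. It assumes F-MACRO.EXE is installed in C:\F-PROT and scans a hypothetical C:\DOCS directory. Because IF ERRORLEVEL n is true for n or any higher value, the codes are tested from highest to lowest.

```bat
@ECHO OFF
REM Added example, not from the Command AntiVirus manual.
REM Assumptions: F-MACRO.EXE is installed in C:\F-PROT and the documents
REM to check are in C:\DOCS (hypothetical path).
REM
REM IF ERRORLEVEL n is true when the return code is n OR HIGHER, so the
REM tests run from the highest code down. Values the return-code table
REM does not list (2, 4, 5, 7, 10 and above) go to UNKNOWN.

C:\F-PROT\F-MACRO C:\DOCS
IF ERRORLEVEL 10 GOTO UNKNOWN
IF ERRORLEVEL 9 GOTO PROBLEM
IF ERRORLEVEL 8 GOTO SUSPECT
IF ERRORLEVEL 7 GOTO UNKNOWN
IF ERRORLEVEL 6 GOTO REMOVED
IF ERRORLEVEL 4 GOTO UNKNOWN
IF ERRORLEVEL 3 GOTO INFECTED
IF ERRORLEVEL 2 GOTO UNKNOWN
IF ERRORLEVEL 1 GOTO FAILED
REM Code 0: normal exit, no viruses found. Continue booting silently.
GOTO DONE

:INFECTED
ECHO F-MACRO code 3: a macro virus infection was found in C:\DOCS.
ECHO Close Word and Excel, back up the files, then run F-MACRO /DISINF.
GOTO HOLD
:REMOVED
ECHO F-MACRO code 6: at least one virus was removed.
GOTO HOLD
:SUSPECT
ECHO F-MACRO code 8: something suspicious found, files may be corrupt.
GOTO HOLD
:PROBLEM
ECHO F-MACRO code 9: F-MACRO had a problem with at least one file.
GOTO HOLD
:FAILED
ECHO F-MACRO code 1: abnormal termination, check for a missing system file.
GOTO HOLD
:UNKNOWN
ECHO F-MACRO returned a code that is not in the return-code table.

:HOLD
REM Stop the boot sequence so the warning is read before it scrolls away.
PAUSE

:DONE
```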
The three F-MACRO files F-MACRO.EXE, MACRO.DEF, and F-MACRO.TXT are located in the installation directory.
You can download updates to these files, when available, from the Command Software Systems World Wide Web and FTP sites.
The file that you will update most frequently is the MACRO.DEF file. This file contains the macro virus signatures. When virus signature updates are available, replace the MACRO.DEF file. To ensure that the latest virus signatures are active, the new MACRO.DEF file must be in the same directory as F-MACRO.EXE.
We recommend that you always make a backup copy of important document files before disinfecting them. This ensures that your information is saved in case the file becomes corrupted during disinfection. You can then call your local support representative for further assistance.
For more information about backing up your files, refer to your operating system reference manual.
The Command Software Systems web site has up-to-date descriptions on the operation and effects of macro viruses. Refer to the macro section at http://www.commandcom.com.
For a current list of macro viruses detected by F-MACRO, type:
F-MACRO /IDENTIFICATION
FP.EXE is a DOS utility that allows you to run F-PROT.EXE and F-MACRO.EXE sequentially. The program begins a scan using F-PROT.EXE and then continues with a scan using F-MACRO.EXE.
You can use any of the command line switches for these two programs. FP.EXE passes the switches to the appropriate program.
For example, the following command begins an F-PROT.EXE scan of drive D. If F-PROT.EXE finds a virus, the system sounds a beep and the virus is disinfected if possible. When this process is complete, the program begins an F-MACRO.EXE scan of drive D. If F-MACRO.EXE finds a virus, the virus is disinfected if possible, but the system does not sound a beep when the virus is found.
In the directory where FP.EXE is located, type:
FP D: /DISINF /BEEP